[00:00.000 --> 00:03.380]  Thanks everyone for attending my talk.
[00:03.400 --> 00:07.360]  So those of you who don't know me,
[00:07.360 --> 00:10.880]  I am a PhD candidate at Arizona State University.
[00:11.180 --> 00:14.380]  I am specializing in use of artificial intelligence
[00:14.380 --> 00:18.560]  and machine learning in the field of cybersecurity.
[00:18.560 --> 00:22.200]  I'm also a security consultant at Bishop Fox.
[00:22.340 --> 00:24.160]  I also authored a book
[00:24.160 --> 00:27.820]  known as Software Defined Virtual Network Security,
[00:27.820 --> 00:31.620]  dealing with security in software-defined systems.
[00:31.840 --> 00:34.720]  I'm also co-founder of DevilSec,
[00:34.720 --> 00:37.760]  which is the hacking club that we have at ASU.
[00:37.760 --> 00:40.820]  I've worked for BlackBerry and Public Services
[00:40.820 --> 00:43.460]  and Computer Sciences Corporation in the past,
[00:43.460 --> 00:46.920]  and this is my contact information.
[00:46.980 --> 00:51.280]  So let's dive into the overview of the talk.
[00:51.280 --> 00:53.940]  What is the motivation?
[00:53.940 --> 00:58.180]  What would be the overview of our system, ASAP?
[00:58.260 --> 01:02.500]  There are three main modules in the system.
[01:02.500 --> 01:09.040]  Stinger, which is used for the discovery of information,
[01:09.040 --> 01:12.100]  both services and vulnerability in the network.
[01:12.100 --> 01:16.300]  Americano, which is used for analysis of different paths
[01:16.300 --> 01:18.960]  an attacker can take in a network.
[01:18.980 --> 01:21.800]  And Cappuccino, which is our AI-based
[01:21.800 --> 01:25.180]  autonomous attack plan generator.
[01:25.900 --> 01:29.120]  And finally, we do the validation of these attack plans,
[01:29.120 --> 01:31.500]  and we will jump into the demo
[01:31.500 --> 01:36.260]  after the end of the presentation.
[01:36.920 --> 01:40.880]  So let's see what is machine learning.
[01:40.880 --> 01:44.740]  It's a statistical way of learning from the information
[01:45.520 --> 01:46.940]  present in your network,
[01:46.940 --> 01:49.420]  what kind of network traffic you have,
[01:49.420 --> 01:51.520]  the logs on your system.
[01:51.520 --> 01:54.820]  So using some pattern recognition
[01:54.820 --> 01:58.880]  to identify some attack patterns in a network,
[01:58.880 --> 02:01.820]  we use machine learning techniques for that.
[02:01.820 --> 02:04.900]  And it's already been used successfully
[02:04.900 --> 02:08.080]  in things like spam detection on your email.
[02:08.080 --> 02:12.360]  You don't get those Nigerian Prince emails these days
[02:12.360 --> 02:16.360]  because of amazing job done by spam detection systems.
[02:17.080 --> 02:19.300]  Artificial intelligence, on the other hand,
[02:19.300 --> 02:25.120]  it perceives the network traffic,
[02:25.120 --> 02:27.120]  what kind of activities are going on
[02:27.120 --> 02:28.920]  within the environment,
[02:28.920 --> 02:32.760]  and uses that information to take some decisions.
[02:32.760 --> 02:36.360]  So it basically acts on the information
[02:36.360 --> 02:39.560]  provided by different agents in the environment.
[02:39.560 --> 02:43.620]  You can think of smart IDS
[02:43.620 --> 02:47.800]  that we can design in a system,
[02:47.800 --> 02:49.620]  which basically collects information
[02:49.620 --> 02:52.060]  from different parts of the system,
[02:52.060 --> 02:53.740]  updates its beliefs,
[02:53.740 --> 02:58.100]  and then takes some intrusion prevention system measure.
[02:58.100 --> 03:02.080]  So that is something that we can take the help
[03:02.080 --> 03:03.680]  of AI in designing.
[03:05.740 --> 03:08.080]  AI and machine learning have found
[03:08.080 --> 03:11.860]  some useful applications in cyber security,
[03:11.860 --> 03:14.180]  both in industry and research.
[03:14.180 --> 03:17.680]  We use the attack patterns for detection
[03:17.680 --> 03:20.420]  to basically identify malicious actors
[03:21.040 --> 03:22.880]  within our network.
[03:22.880 --> 03:27.420]  And we try to see if the attacks
[03:27.420 --> 03:29.080]  are very stealthy in nature.
[03:29.080 --> 03:31.640]  There are attacks like advanced persistent threat,
[03:31.640 --> 03:35.340]  which are basically slow and low kind of attacks,
[03:35.340 --> 03:36.860]  which are hard to detect.
[03:36.860 --> 03:41.020]  They are carried over like multiple days.
[03:41.620 --> 03:43.480]  A good example is Sony hack,
[03:43.480 --> 03:47.360]  which was carried out over a period of several months.
[03:47.380 --> 03:49.680]  So identifying some valuable patterns
[03:49.680 --> 03:52.960]  from those kinds of attacks is some place
[03:52.960 --> 03:56.780]  where we can definitely utilize machine learning.
[03:57.500 --> 04:02.880]  And there are recent investigation
[04:04.500 --> 04:09.860]  in the use of AI to design deception based system,
[04:09.860 --> 04:13.740]  moving target defense and cyber deception in general
[04:13.740 --> 04:18.500]  are two ways or two fields of research
[04:18.500 --> 04:23.440]  that explore how to identify the attack patterns
[04:23.440 --> 04:26.740]  in a network and basically use that information
[04:26.740 --> 04:30.800]  to present a fake view of the network to an attacker
[04:31.180 --> 04:34.380]  and deceive him into honeypots
[04:34.380 --> 04:38.360]  where they can do further analysis of his attack intentions.
[04:40.640 --> 04:45.120]  So why do we need AI and machine learning in cybersecurity?
[04:45.120 --> 04:47.780]  And I did some background research
[04:47.780 --> 04:52.120]  and it's estimated that there will be 25 billion IoT devices
[04:52.440 --> 04:56.000]  in US by 2021.
[04:56.000 --> 04:59.380]  And the investment in cybersecurity
[04:59.380 --> 05:02.760]  will be up to a trillion dollars.
[05:02.980 --> 05:06.000]  With penetration testing, if we look at it,
[05:07.000 --> 05:10.580]  market size would be 3.2 billion US dollars.
[05:10.580 --> 05:14.880]  So the number of devices are growing perhaps
[05:15.890 --> 05:17.680]  at a quadratic scale,
[05:17.680 --> 05:22.400]  but we have a shortage of cybersecurity workforce.
[05:22.400 --> 05:26.220]  It's estimated that 65% of the organizations
[05:26.220 --> 05:30.340]  feel that their staff is not very well equipped
[05:30.990 --> 05:34.500]  in cybersecurity.
[05:35.110 --> 05:38.560]  And 36% of the organization reported that
[05:38.560 --> 05:42.400]  there is a lack of training
[05:43.470 --> 05:49.160]  or skills in existing cybersecurity workforce.
[05:49.340 --> 05:52.700]  So that is where we plan to use AI
[05:52.700 --> 05:55.470]  to kind of bridge this gap.
[05:59.090 --> 06:01.720]  So if you look at a very practical example
[06:01.720 --> 06:06.620]  of application of artificial intelligence,
[06:06.620 --> 06:09.440]  DARPA Cyber Grand Challenge was one place
[06:09.440 --> 06:13.020]  where AI was successfully applied.
[06:13.020 --> 06:16.660]  There were seven participating schools, seven or eight,
[06:16.660 --> 06:20.540]  who took part in a hacking competition
[06:20.540 --> 06:24.680]  where each school was trying to
[06:25.840 --> 06:28.780]  target the infrastructure of everybody else
[06:28.780 --> 06:32.020]  while keeping its own infrastructure secure.
[06:32.040 --> 06:34.420]  So the important catch was that
[06:34.420 --> 06:37.060]  all of these participants were AI,
[06:38.020 --> 06:40.980]  not AI, but autonomous systems.
[06:40.980 --> 06:47.240]  And there was no human involved in this competition.
[06:47.240 --> 06:53.200]  So Mayhem, which was a company based out of CMU,
[06:53.200 --> 06:56.240]  they automated what white hat hackers could do.
[06:56.240 --> 06:58.840]  So they found and exploited the weaknesses
[06:59.900 --> 07:02.380]  present in these system.
[07:02.380 --> 07:05.460]  What they did was they created a mathematical model
[07:05.460 --> 07:09.080]  of the paths that attacker can take.
[07:09.080 --> 07:10.820]  And then they used two techniques,
[07:10.820 --> 07:13.220]  symbolic execution and fuzzing.
[07:13.220 --> 07:17.460]  So symbolic execution was the way
[07:17.940 --> 07:21.780]  to point out interesting code paths.
[07:21.780 --> 07:25.400]  And fuzzing was kind of a hammer,
[07:25.400 --> 07:27.760]  which was hammering through those code paths
[07:27.760 --> 07:31.120]  to exploit the vulnerabilities pointed out
[07:31.120 --> 07:33.740]  using symbolic execution.
[07:33.780 --> 07:36.220]  And they won this championship
[07:36.220 --> 07:41.560]  and they managed to find 14,000 vulnerabilities
[07:41.560 --> 07:44.440]  on Debian system as well.
[07:44.440 --> 07:47.060]  And 250 of these vulnerabilities were new.
[07:47.060 --> 07:52.420]  So imagine a human attacker trying to do all this,
[07:52.420 --> 07:54.940]  it's kind of difficult.
[07:54.940 --> 07:57.800]  And this shows a successful motivation
[07:57.800 --> 08:01.420]  to use machine learning and AI
[08:01.420 --> 08:03.320]  in the field of cybersecurity.
[08:04.520 --> 08:07.980]  So if you look at our system, ASAP,
[08:07.980 --> 08:10.320]  there are four main modules.
[08:10.320 --> 08:14.280]  Stinger, which is, S stands for scanning.
[08:14.280 --> 08:17.180]  So we use Stinger for scanning and recon.
[08:18.060 --> 08:21.640]  The information from Stinger is fed into Americano.
[08:21.640 --> 08:23.940]  So A stands for attack analysis.
[08:23.940 --> 08:29.740]  And we use this information from Americano
[08:29.740 --> 08:34.500]  to identify the attack states in the network.
[08:34.500 --> 08:39.580]  Latte, which is a module, L stands for log here.
[08:39.580 --> 08:42.740]  So it's a module which identifies network and host logs
[08:42.740 --> 08:46.240]  to gather the threat evidence.
[08:46.240 --> 08:50.660]  And Cappuccino, which is kind of the network controller,
[08:50.660 --> 08:54.700]  it takes all this information from Americano and Latte
[08:56.920 --> 09:04.440]  to encode in form of AI model, Markov decision process.
[09:04.720 --> 09:07.880]  And based on that model, it identifies some attack plans,
[09:07.880 --> 09:12.060]  like if a penetration tester were to test
[09:12.060 --> 09:14.420]  or attack this network,
[09:14.420 --> 09:19.720]  what kind of plan would yield him maximum output?
[09:20.660 --> 09:24.280]  And eventually we can execute these attack plans
[09:24.280 --> 09:26.100]  on a cloud or web application
[09:27.560 --> 09:31.440]  and update the risk score and attack graph,
[09:31.780 --> 09:33.780]  which is basically Americano.
[09:35.760 --> 09:40.340]  So I am addicted to caffeine.
[09:40.340 --> 09:43.040]  That is why I chose the name of these modules
[09:43.040 --> 09:46.460]  based on different kinds of coffee flavors.
[09:47.360 --> 09:50.460]  So let's dive deeper into Stinger.
[09:50.460 --> 09:53.360]  So Stinger basically scans the network topology
[09:53.360 --> 09:58.040]  for service information and discovers the vulnerability.
[09:58.040 --> 10:03.240]  So we have automated Nessus and OpenVAS APIs
[10:03.240 --> 10:08.060]  to identify this attack information.
[10:08.820 --> 10:12.300]  And this attack information is then fed into Americano,
[10:12.300 --> 10:15.000]  which is attack graph generation tool.
[10:16.540 --> 10:21.040]  So let's look at one of the known vulnerabilities.
[10:21.180 --> 10:24.420]  This is a Shellshock vulnerability,
[10:24.420 --> 10:26.980]  and there are different parameters
[10:26.980 --> 10:29.120]  from common vulnerability scoring system
[10:29.120 --> 10:30.980]  for this particular vulnerability.
[10:30.980 --> 10:35.320]  Like you need just a network access to execute this attack
[10:35.320 --> 10:38.260]  and it has a low access complexity.
[10:38.260 --> 10:42.660]  So you don't need to do a lot of investment
[10:42.660 --> 10:46.100]  as an attacker to exploit this vulnerability.
[10:46.100 --> 10:50.860]  So this is a example of kind of vulnerability
[10:50.860 --> 10:54.140]  where we can implement some sort of automation
[10:54.140 --> 10:59.820]  once we are able to identify this vulnerability.
[11:01.440 --> 11:04.580]  And the reason of providing this information
[11:04.580 --> 11:06.920]  is that we will see later
[11:06.920 --> 11:09.720]  that how we can use these CVSS parameters
[11:09.720 --> 11:13.120]  like access complexity and possibly CVSS score
[11:13.910 --> 11:18.630]  to encode the information in our AI solver.
[11:20.270 --> 11:21.760]  These are some other parameters
[11:21.760 --> 11:25.420]  like the impact on confidentiality,
[11:25.420 --> 11:28.920]  integrity and availability is very high
[11:28.920 --> 11:32.900]  and attacker can take full control of that system
[11:32.900 --> 11:36.280]  if he were to exploit this particular vulnerability.
[11:37.380 --> 11:41.060]  So let's take a look at a motivating example
[11:41.320 --> 11:43.520]  where attacker is located on internet
[11:43.520 --> 11:47.420]  and his goal is to reach this database server
[11:47.420 --> 11:53.000]  and exfiltrate the information out of database server
[11:53.000 --> 11:55.660]  to his command and control center.
[11:55.660 --> 11:57.840]  And there are some publicly known vulnerabilities
[11:57.840 --> 12:01.120]  on these machines.
[12:03.640 --> 12:07.320]  So basically attacker is trying to exfiltrate
[12:07.320 --> 12:09.400]  the information from database server
[12:09.400 --> 12:11.980]  but there is a firewall on his way
[12:11.980 --> 12:15.660]  so he cannot directly access this database server.
[12:15.660 --> 12:19.180]  So he either needs to go through the web server
[12:19.180 --> 12:23.300]  or wait for internal user
[12:23.300 --> 12:25.900]  to download some of his malicious code
[12:25.900 --> 12:31.160]  and use that as a pivot to go to the database server.
[12:32.460 --> 12:35.960]  And the web server is the only publicly available service
[12:35.960 --> 12:37.120]  in this network.
[12:38.500 --> 12:44.300]  So attacker can try to exploit the web server
[12:44.300 --> 12:45.500]  using unknown vulnerability
[12:45.500 --> 12:49.620]  or he can have some malicious script on a popular website
[12:50.310 --> 12:51.660]  that a user downloads
[12:51.660 --> 12:55.540]  and that way he can gain access into his workstation.
[12:56.280 --> 13:01.160]  And using this, he can then take advantage
[13:01.160 --> 13:02.640]  of the access control list
[13:02.990 --> 13:05.520]  which basically allows any network traffic
[13:05.520 --> 13:07.480]  from web server to go to database server
[13:07.480 --> 13:12.420]  or any workstation traffic to go to database server.
[13:12.420 --> 13:16.820]  And that way the attacker can exploit
[13:16.820 --> 13:18.900]  the SQL injection vulnerability
[13:19.940 --> 13:22.000]  that is present on the database server
[13:22.840 --> 13:26.580]  and then use it to gain persistent access
[13:28.060 --> 13:32.300]  to his command and control center.
[13:33.220 --> 13:36.380]  So you will see that there are two attack paths
[13:36.380 --> 13:41.280]  in this small network to achieve the same goal.
[13:41.300 --> 13:44.000]  So imagine a very giant network
[13:44.000 --> 13:47.080]  with tens of thousands of instances
[13:47.080 --> 13:51.580]  and you are asked to perform a penetration test
[13:51.580 --> 13:55.380]  for that network in a limited period of time.
[13:55.720 --> 14:00.160]  So you need some kind of autonomy or automation
[14:00.860 --> 14:07.420]  in that particular case to be able to have a good coverage
[14:08.120 --> 14:10.120]  in your penetration test.
[14:12.400 --> 14:15.040]  So we saw this example, but what about it?
[14:15.040 --> 14:18.920]  Like, how do we basically use this information?
[14:19.000 --> 14:22.600]  We can do some initial attack analysis based on this example
[14:22.600 --> 14:24.780]  and see that attack is multi-stage
[14:25.660 --> 14:28.200]  and attacker had specific attack vectors
[14:28.200 --> 14:29.200]  for this vulnerability
[14:29.200 --> 14:31.160]  and he went through multiple hosts
[14:32.640 --> 14:35.520]  and he circumvented some of the defenses
[14:35.520 --> 14:37.280]  that were present on the systems
[14:38.240 --> 14:42.040]  to achieve his goal of data exfiltration.
[14:44.200 --> 14:51.360]  So let's discuss on kind of a philosophical level
[14:51.360 --> 14:55.560]  why AI can be used to hack faster.
[14:55.560 --> 14:59.520]  So imagine you are going home on a particular day
[15:00.520 --> 15:03.780]  and you decide to take a turn
[15:03.780 --> 15:07.340]  on Arizona Avenue and Main Street
[15:08.440 --> 15:12.860]  and you have been taking this route forever
[15:12.860 --> 15:14.680]  to reach your home,
[15:14.680 --> 15:19.920]  but you encounter a traffic jam on the way.
[15:21.480 --> 15:24.260]  So you went by your intuition
[15:25.020 --> 15:28.020]  and this got you into a traffic jam.
[15:28.020 --> 15:31.800]  But if you had a GPS to help you navigate,
[15:31.800 --> 15:34.020]  you could have avoided that jam.
[15:34.860 --> 15:37.160]  So similarly, as penetration testers,
[15:37.160 --> 15:40.780]  when we try to go after certain vulnerabilities,
[15:40.780 --> 15:48.040]  we have kind of a preset methodology.
[15:48.040 --> 15:51.360]  So we will go through some authentication issues,
[15:51.360 --> 15:52.640]  authorization issues.
[15:52.640 --> 15:57.140]  We will see if we can use the user management in some way.
[15:57.180 --> 16:00.060]  We can try to see if we can get
[16:00.060 --> 16:02.580]  horizontal privilege escalation.
[16:02.640 --> 16:05.000]  We go after data stores.
[16:05.380 --> 16:07.480]  We go after application logic.
[16:07.480 --> 16:11.300]  If it involves the code review,
[16:11.300 --> 16:13.200]  we go through the procedure of code review
[16:14.220 --> 16:17.340]  and use all of that to see like
[16:18.000 --> 16:20.220]  what's the maximum we can get
[16:21.180 --> 16:23.940]  in this penetration test.
[16:24.360 --> 16:27.560]  But here is the challenge.
[16:27.560 --> 16:32.900]  Like if you have say 20 hours for a particular assessment,
[16:32.900 --> 16:34.180]  do you think on
[16:36.340 --> 16:40.780]  environment where you have to do pen test on application
[16:40.780 --> 16:48.040]  as well as the cloud part of the backend components,
[16:48.360 --> 16:51.200]  it's very challenging to get a good coverage
[16:51.700 --> 16:53.920]  in that scenario.
[16:54.640 --> 17:00.680]  So AI and machine learning can act as kind of
[17:02.040 --> 17:06.300]  navigator for us on these assessments.
[17:06.300 --> 17:12.380]  So we can think of ASAP as kind of AI based GPS
[17:12.380 --> 17:16.280]  to navigate the attack surface.
[17:16.280 --> 17:20.460]  And it may not work on all kind of unknown vulnerabilities
[17:20.460 --> 17:23.380]  like say data encryption issues,
[17:23.380 --> 17:26.320]  which you identify which is a vulnerability,
[17:26.320 --> 17:30.080]  but it can help us in semi-automating
[17:30.080 --> 17:34.820]  some of the tasks that we may miss out.
[17:34.820 --> 17:36.740]  So the worst thing would be that
[17:36.740 --> 17:41.360]  there is a very low complexity vulnerability
[17:41.360 --> 17:43.060]  that was present on the system,
[17:43.060 --> 17:46.560]  but you just ran out of time on your pen test
[17:46.560 --> 17:50.520]  and you couldn't exploit that vulnerability.
[17:50.520 --> 17:52.920]  And later the client finds out,
[17:52.920 --> 17:54.360]  hey, why did you miss it?
[17:54.360 --> 17:57.300]  So then you are in a tough situation.
[17:57.540 --> 17:59.460]  So that is another kind of motivation
[17:59.460 --> 18:02.160]  to develop this kind of a system.
[18:03.900 --> 18:08.120]  So with Americano, we get the information from Stinger
[18:08.900 --> 18:12.440]  and we use these vulnerabilities and software configuration
[18:12.440 --> 18:19.940]  to pass to a first order logic based framework.
[18:20.160 --> 18:22.160]  And that framework basically generates
[18:22.680 --> 18:25.680]  a multi-stage multi-hop attack graph.
[18:25.680 --> 18:27.860]  And attack graph basically shows that
[18:28.430 --> 18:31.400]  different paths an attacker can take in a network
[18:31.400 --> 18:36.060]  to be able to reach his desired goal.
[18:37.980 --> 18:40.720]  So if you look at the definition of attack graph,
[18:40.720 --> 18:42.440]  we have some nodes and edges
[18:42.440 --> 18:46.000]  which are a property of a given graph.
[18:46.040 --> 18:49.080]  There are some fact nodes, NF.
[18:49.400 --> 18:51.240]  Fact nodes will be something like
[18:51.240 --> 18:52.880]  the existence of vulnerability
[18:52.880 --> 18:57.800]  or the existence of network connections.
[18:58.260 --> 19:04.280]  And conjunct node are denoted by NC,
[19:04.280 --> 19:06.340]  the disjunct node are denoted by ND
[19:06.340 --> 19:09.080]  and root node, which is basically goal of attack
[19:09.080 --> 19:11.260]  is denoted by NR.
[19:13.020 --> 19:17.520]  So conjunct node can be something that you can achieve
[19:19.450 --> 19:24.380]  based on your initial exploitation of certain vulnerability.
[19:24.380 --> 19:27.400]  So you have some fact nodes that you combine
[19:27.400 --> 19:28.980]  with these interaction rules
[19:28.980 --> 19:31.540]  that we provide in first order logic
[19:32.010 --> 19:37.360]  to achieve some other conjunct nodes like execCode.
[19:37.360 --> 19:41.220]  So suppose there is a vulnerability buffer overflow
[19:41.220 --> 19:46.060]  on web server and the attacker can access the web server.
[19:46.060 --> 19:48.600]  So if attacker is located on internet,
[19:48.600 --> 19:53.120]  then that can lead to execution of code on web server.
[19:54.640 --> 19:57.140]  And based on that example,
[19:57.140 --> 19:58.840]  the root node in our case would be
[19:58.840 --> 20:02.000]  to gain a root privilege on database server.
[20:04.290 --> 20:07.770]  So there are two kinds of edges.
[20:07.770 --> 20:12.130]  E pre denotes the precondition edge
[20:12.130 --> 20:15.670]  and E post denotes the post condition edge.
[20:15.870 --> 20:18.450]  So a precondition edge basically combines
[20:18.450 --> 20:21.350]  the fact nodes and conjunct node to
[20:24.070 --> 20:27.170]  show that the next possible state
[20:27.170 --> 20:29.850]  that an attacker can achieve.
[20:30.030 --> 20:33.990]  And E post means the edges that are triggered
[20:34.590 --> 20:37.310]  if some preconditions are satisfied.
[20:37.770 --> 20:40.310]  And we have some base initial condition nodes
[20:40.310 --> 20:45.530]  in this attack graph that we can denote using NI.
[20:48.900 --> 20:51.900]  So to simplify this, we have some advisories
[20:52.960 --> 20:57.300]  that we identify based on the scanning of the network.
[20:57.600 --> 20:59.800]  We have host configuration information,
[20:59.800 --> 21:02.740]  we have network configuration information.
[21:03.080 --> 21:06.160]  The principals indicate like
[21:06.560 --> 21:10.040]  who has ownership on which machine.
[21:10.600 --> 21:13.500]  And we use interaction rules and policies
[21:13.500 --> 21:16.760]  to provide input to this attack graph
[21:16.760 --> 21:19.180]  with reasoning engine,
[21:19.180 --> 21:23.940]  which then generates attack graph for us.
[21:27.040 --> 21:29.980]  So before going any further,
[21:29.980 --> 21:40.020]  let's look at some information of these MulVAL rules.
[21:40.020 --> 21:42.460]  MulVAL is basically a reasoning system
[21:42.920 --> 21:45.040]  which encodes this information.
[21:45.040 --> 21:47.440]  And it's a work by University of Kansas,
[21:47.440 --> 21:54.100]  which we kind of used in our development of the ASAP system.
[21:54.100 --> 21:57.940]  So advisories show that what kind of vulnerability exists
[21:58.520 --> 22:00.820]  in the network, vulnerability property,
[22:00.820 --> 22:03.360]  host configuration shows that the web server
[22:04.140 --> 22:08.500]  has Apache software, it's running on port 80.
[22:08.960 --> 22:10.720]  This is the daemon.
[22:10.780 --> 22:14.920]  Network configuration is basically the access control list,
[22:14.920 --> 22:18.960]  which says that from internet to web server,
[22:18.960 --> 22:24.100]  there is a TCP connection that can be established on port 80.
[22:25.360 --> 22:30.980]  And principals show that a user has a user account on this PC
[22:30.980 --> 22:33.880]  and there is another system admin,
[22:33.880 --> 22:37.040]  which is kind of a root level account on the web server.
[22:37.040 --> 22:40.380]  So all these information we can obtain
[22:41.620 --> 22:43.460]  by scanning the network
[22:43.460 --> 22:47.620]  and by obtaining the host configuration information,
[22:47.620 --> 22:50.020]  the network rules.
[22:51.060 --> 22:56.640]  And then they go through these first order logic rules.
[22:56.640 --> 22:58.100]  So this is one of the rules,
[22:58.100 --> 23:00.420]  which says that if there is a vulnerability existing
[23:00.420 --> 23:02.360]  on host with vulnerability ID
[23:02.360 --> 23:05.900]  and the vulnerability has a property
[23:05.900 --> 23:08.700]  that it's a remote exploit,
[23:08.700 --> 23:13.360]  and there is a network service corresponding to this host
[23:13.360 --> 23:16.760]  and the attacker has a network access on this host
[23:16.760 --> 23:19.260]  and attacker is malicious,
[23:19.680 --> 23:22.300]  then this will lead to a code execution.
[23:23.380 --> 23:26.000]  So these are basically predicates of this rule
[23:26.000 --> 23:29.060]  and this is executed code by attacker on host
[23:29.060 --> 23:34.020]  and gaining of privilege is basically the post condition
[23:34.020 --> 23:35.800]  that is obtained
[23:36.200 --> 23:39.460]  when all these preconditions are satisfied.
[23:40.880 --> 23:44.020]  And we also use the policies
[23:45.320 --> 23:49.460]  which show the user access on different resources
[23:49.460 --> 23:54.020]  in the system to encode into these interaction rules.
[23:55.860 --> 23:58.480]  So this will be a logical attack graph
[23:58.480 --> 24:03.340]  of our system that we saw.
[24:03.340 --> 24:06.780]  You can think of attacker located on internet
[24:06.780 --> 24:08.560]  as this node zero.
[24:09.140 --> 24:13.080]  Then the node zero interacts with different nodes
[24:13.510 --> 24:16.440]  and these ovals represent the rules.
[24:16.800 --> 24:20.940]  So like one of this oval will be interaction rule.
[24:22.040 --> 24:22.960]  And based on that,
[24:22.960 --> 24:26.300]  the attacker progresses to the next privilege node.
[24:26.300 --> 24:31.720]  So we can think of this as like a root exploit
[24:31.720 --> 24:33.700]  on say Apache web server,
[24:33.700 --> 24:38.220]  then attacker probably gains some other network level access
[24:38.960 --> 24:42.200]  using another post condition of that graph
[24:42.200 --> 24:44.180]  and eventually reaches his goal
[24:45.420 --> 24:49.520]  of gaining root access on a database server
[24:49.520 --> 24:51.900]  by exploiting SQL injection.
[24:53.580 --> 25:00.080]  So the main brain or AI in this work is Cappuccino.
[25:00.240 --> 25:01.780]  So what Cappuccino does
[25:01.780 --> 25:04.640]  is it takes the information from attack graph
[25:04.640 --> 25:09.320]  and information about different configurations
[25:09.320 --> 25:13.420]  and vulnerability from this CVE search database
[25:13.900 --> 25:16.480]  and log information from the Latte module
[25:17.680 --> 25:20.580]  to create a MDP graph.
[25:22.020 --> 25:26.660]  So MDP graph can then be used to derive attack plan
[25:27.260 --> 25:29.080]  that we as penetration testers
[25:29.080 --> 25:33.840]  will implement on the network.
[25:34.820 --> 25:37.640]  So let's see how the states can be extracted
[25:37.640 --> 25:39.200]  from attack graph.
[25:39.200 --> 25:41.080]  So there were fact nodes which shows
[25:41.080 --> 25:44.600]  that attacker was at internet initially
[25:45.480 --> 25:47.960]  and the next privilege node that he gained
[25:47.960 --> 25:52.540]  was a network access on say another machine FTP.
[25:54.160 --> 25:56.820]  So there are two things that attacker can do
[25:56.820 --> 25:58.740]  when he is located on internet,
[25:58.740 --> 26:00.280]  either he can take no action
[26:00.280 --> 26:05.140]  or he can exploit this vulnerability.
[26:06.420 --> 26:08.640]  Let's say the CVE ID of this vulnerability
[26:08.640 --> 26:13.100]  is CVE-2013-4124.
[26:13.100 --> 26:18.300]  So these will be the states that we can extract
[26:19.020 --> 26:23.300]  from attack graph to be used in our Markov game
[26:25.220 --> 26:27.660]  or our Markov decision process.
[26:28.180 --> 26:30.300]  So let's revisit the attack graph
[26:30.300 --> 26:33.920]  and let's see that for this another example,
[26:36.300 --> 26:40.840]  if there are two paths that attacker needs to take
[26:40.840 --> 26:44.600]  to be able to exploit this FTP machine.
[26:44.600 --> 26:48.620]  So one way he can go about is that he goes from SSH
[26:49.070 --> 26:50.960]  and then tries to exploit the FTP
[26:50.960 --> 26:56.340]  or another way is that he first exploit this web server
[26:56.340 --> 26:57.940]  and goes to FTP.
[26:59.740 --> 27:03.180]  So the corresponding attack graph for this network
[27:03.180 --> 27:06.120]  will be that attacker has SSH access,
[27:06.120 --> 27:08.600]  there is a SSH vulnerability,
[27:08.600 --> 27:11.240]  he exploits SSH, he gains a root on SSH
[27:12.460 --> 27:16.920]  or the attacker can also go through
[27:16.920 --> 27:19.120]  the exploitation of web server.
[27:19.120 --> 27:23.860]  So basically he goes through the web server
[27:23.860 --> 27:26.320]  to exploit some vulnerability on web server
[27:26.320 --> 27:29.620]  and then he reaches the FTP server.
[27:29.620 --> 27:32.220]  So in this graph, there are basically two paths
[27:32.220 --> 27:34.000]  that attacker can take.
[27:35.480 --> 27:39.980]  So if we are to obtain a Markov decision process from this,
[27:39.980 --> 27:44.080]  basically MDP has some components,
[27:44.080 --> 27:46.820]  state, action, transition and reward.
[27:47.580 --> 27:51.200]  So state represents the access that an attacker
[27:51.200 --> 27:53.900]  can obtain at any point in the network.
[27:53.900 --> 27:56.200]  So he can be a user in SSH,
[27:56.200 --> 27:57.700]  if he exploits the vulnerability,
[27:57.700 --> 28:00.540]  he can be a root user on SSH.
[28:00.700 --> 28:02.320]  If he exploits the web server,
[28:02.320 --> 28:05.320]  he can obtain a root on the web server
[28:05.320 --> 28:09.120]  and eventually he can also obtain a root on FTP.
[28:10.460 --> 28:13.800]  There are two actions that we use
[28:13.800 --> 28:18.500]  to simplify this Markov decision process.
[28:18.500 --> 28:21.120]  So in each state, attacker can either choose
[28:21.120 --> 28:24.080]  to take no action or he can choose
[28:24.080 --> 28:27.500]  to exploit the next vulnerability.
[28:27.960 --> 28:30.520]  And there are some probability values
[28:30.520 --> 28:33.020]  that are associated with these actions.
[28:33.020 --> 28:35.720]  And these probability values we will explain
[28:35.720 --> 28:39.160]  like how we derive meaningful probability values
[28:39.160 --> 28:41.120]  for the MDP.
[28:42.580 --> 28:44.140]  And we kind of relate these
[28:44.140 --> 28:47.180]  to the access complexity of the vulnerability.
[28:47.180 --> 28:50.360]  So if the access complexity is low,
[28:50.360 --> 28:53.660]  then probably it's easier to exploit that vulnerability
[28:53.660 --> 28:55.680]  and there is a higher probability
[28:55.680 --> 28:58.540]  of transitioning to the next state.
[29:01.500 --> 29:05.280]  And the rewards are the values attacker obtains
[29:05.800 --> 29:07.880]  by being in a particular state.
[29:07.880 --> 29:12.100]  Say attacker does not want to exploit that vulnerability.
[29:12.100 --> 29:15.240]  So he will have kind of a low reward.
[29:15.240 --> 29:18.000]  The reward is that basically he is not detected
[29:18.000 --> 29:21.760]  by say an intrusion detection system.
[29:21.760 --> 29:24.740]  So that's kind of a reward for him
[29:24.740 --> 29:27.420]  but it's not very big reward.
[29:28.380 --> 29:31.280]  As compared to if he is able to obtain a root account
[29:31.280 --> 29:33.060]  on one of the external services,
[29:33.060 --> 29:35.760]  that's a high positive reward.
[29:36.660 --> 29:39.840]  So we put this value like a plus five
[29:39.840 --> 29:42.920]  and we use the CVSS score of the vulnerabilities
[29:42.920 --> 29:45.700]  to derive the reward.
[29:46.400 --> 29:51.320]  So the reward can at any point be between zero and 10.
[29:52.580 --> 29:56.120]  And if there is uncertainty in the attacker action,
[29:56.120 --> 29:57.200]  this can be considered
[29:57.200 --> 30:01.020]  as a partially observable Markov decision process.
[30:01.980 --> 30:06.860]  But in this work, we are using the simple Markov decision
[30:06.860 --> 30:11.020]  process to show how we encode this attack information.
[30:12.100 --> 30:17.840]  And when we solve this Markov decision process
[30:17.840 --> 30:22.840]  using a value iteration solver, we obtain some policies.
[30:22.840 --> 30:26.960]  So policies are different paths that attacker can take
[30:27.580 --> 30:30.640]  to obtain some of his goals.
[30:31.740 --> 30:34.120]  And the reward for each path.
[30:34.120 --> 30:38.600]  So value iteration tries to maximize the value
[30:38.600 --> 30:46.060]  that an attacker can gain by following a particular policy.
[30:46.060 --> 30:47.680]  So there are two policies,
[30:47.680 --> 30:52.720]  like he can either exploit SSH, then exploit FTP,
[30:52.720 --> 30:55.640]  or he can exploit SSH, then go to web server
[30:55.640 --> 30:58.900]  and then exploit FTP.
[30:58.900 --> 31:02.140]  So obviously the reward in second policy is higher
[31:02.140 --> 31:04.500]  compared to first policy.
[31:04.800 --> 31:06.560]  But this is for a simplified network.
[31:06.560 --> 31:08.760]  We can hand encode these values
[31:08.760 --> 31:12.420]  and solve this Markov decision process.
[31:12.420 --> 31:13.900]  But as a penetration tester,
[31:13.900 --> 31:18.440]  if you are dealing with a very gigantic network,
[31:18.440 --> 31:20.480]  we would want to encode this information
[31:20.480 --> 31:23.380]  using some of the MDP solvers.
[31:25.180 --> 31:31.040]  So, as I mentioned, the states are the privilege level
[31:31.040 --> 31:32.400]  of the attacker.
[31:33.440 --> 31:37.340]  The value for the transition metric,
[31:37.340 --> 31:41.040]  which is basically the probability of transitioning
[31:41.040 --> 31:44.700]  from one state to next state using an action.
[31:44.700 --> 31:50.760]  So suppose S0 was a state of user access on SSH
[31:50.760 --> 31:55.660]  and S1 is the state of root access on SSH.
[31:57.420 --> 32:04.580]  And the access complexity of this vulnerability is low.
[32:04.580 --> 32:06.420]  That means that there is a high probability
[32:06.420 --> 32:09.960]  of transitioning to state S1.
[32:09.960 --> 32:16.380]  So we encode the value 0.9 for low access complexity
[32:16.380 --> 32:19.180]  vulnerability, 0.6 for medium,
[32:19.180 --> 32:24.880]  and 0.2 for a high access complexity
[32:24.880 --> 32:28.120]  because the vulnerabilities
[32:28.120 --> 32:30.120]  for which access complexity is high,
[32:30.120 --> 32:32.420]  they are obviously difficult to exploit.
[32:32.420 --> 32:34.560]  So there is a good chance that attacker will stay
[32:34.560 --> 32:38.120]  in state S0 if he tries to take an action.
[32:39.140 --> 32:43.660]  And the reward value basically for transitioning
[32:43.660 --> 32:49.020]  to state S1, if the CVSS score of the vulnerability is 6.4,
[32:49.020 --> 32:51.180]  that will be the reward that attacker will gain
[32:51.180 --> 32:53.680]  by transitioning to that state.
[32:57.580 --> 33:02.120]  So as we discussed, the states represent
[33:02.120 --> 33:03.920]  the current privilege level of attacker
[33:04.500 --> 33:08.700]  and the actions are the actions that attacker will take.
[33:09.040 --> 33:13.300]  And the transition probabilities are the values
[33:13.300 --> 33:15.440]  we derive from the access complexity
[33:15.440 --> 33:18.640]  of each CVSS vulnerability.
[33:20.540 --> 33:26.280]  And if we encode this information for action exploit SSH
[33:29.150 --> 33:32.650]  in a form of a transition matrix,
[33:32.650 --> 33:35.370]  so by taking action exploit SSH,
[33:35.370 --> 33:39.070]  there is a 0.9% probability that attacker will go
[33:39.070 --> 33:41.410]  from state S0 to S1.
[33:41.410 --> 33:46.010]  So let's consider the rows 0, 1, and 2
[33:46.010 --> 33:47.630]  and columns 0, 1, and 2.
[33:47.630 --> 33:54.110]  So S0, S1, which is 0, 1 row and column,
[33:54.110 --> 33:57.870]  will show that there is a 0.9% probability
[33:57.870 --> 34:00.530]  that attacker will transition from S0 to S1
[34:00.530 --> 34:02.150]  by taking that action.
[34:02.150 --> 34:06.130]  But that action has no implication on other states.
[34:06.130 --> 34:08.950]  So if he was in state S1,
[34:08.950 --> 34:13.590]  then exploit SSH doesn't do a whole lot
[34:13.590 --> 34:16.750]  for going to state of S2.
[34:16.830 --> 34:21.270]  So attacker will remain in state S1 if he takes that action.
[34:23.930 --> 34:27.690]  So there is a high probability of being in state S1 and S2
[34:28.250 --> 34:32.730]  if he takes action exploit SSH in S1 and S2.
[34:33.670 --> 34:37.030]  And the reward, as we discussed,
[34:37.030 --> 34:43.150]  is the values he obtained by the CVSS score
[34:43.150 --> 34:44.250]  of those vulnerabilities.
[34:44.250 --> 34:47.530]  So if he takes action A in state S,
[34:47.530 --> 34:50.850]  it maps to a real number between 0 and 10.
[34:53.730 --> 34:57.310]  So as we discussed that taking no action
[34:57.310 --> 34:58.970]  will have a low reward,
[34:58.970 --> 35:03.270]  and exploiting SSH will have a positive reward,
[35:03.270 --> 35:05.210]  which, like if the CVSS score
[35:05.210 --> 35:07.470]  for this vulnerability was 6.4,
[35:07.470 --> 35:10.430]  that will be the reward of being in state S1.
[35:10.430 --> 35:13.770]  And similarly, the reward of being in state S2
[35:13.770 --> 35:16.570]  will correspond to the FTP vulnerability.
[35:20.290 --> 35:22.770]  So bridging it all together,
[35:22.770 --> 35:27.430]  how we arrive at Markov decision process from attack graph.
[35:27.430 --> 35:30.750]  So this is the algorithm that I designed.
[35:30.750 --> 35:34.510]  Basically, you parse the attack graph to get the nodes,
[35:34.510 --> 35:37.910]  which show the privilege of the attacker in step one.
[35:38.270 --> 35:40.990]  You find the CVE IDs of these vulnerabilities
[35:40.990 --> 35:47.150]  that lead to this exploitation in step two.
[35:47.170 --> 35:49.030]  In step three from attack graph,
[35:49.030 --> 35:52.170]  you fetch the CVSS score of the vulnerabilities.
[35:53.110 --> 35:58.630]  In step four A, you use the CVSS score
[35:58.630 --> 36:01.110]  to create a reward matrix,
[36:01.110 --> 36:05.710]  which shows the actions and state transition mapping
[36:05.710 --> 36:06.850]  to a real value.
[36:06.850 --> 36:09.510]  So basically it will be say a column matrix
[36:09.510 --> 36:13.850]  for different CVSS score.
[36:13.930 --> 36:17.430]  In state four B,
[36:17.430 --> 36:19.370]  basically you use the access complexity
[36:19.370 --> 36:22.910]  to derive the transition matrix.
[36:23.530 --> 36:28.890]  And you provide all this information to MDP solver.
[36:28.990 --> 36:32.670]  So the reward matrix, the transition matrix,
[36:32.670 --> 36:35.950]  the different states and the action.
[36:35.950 --> 36:37.890]  And we use the PyMDP solver
[36:37.890 --> 36:43.070]  as a solver with the value iteration function
[36:44.430 --> 36:46.670]  to generate an attack plan,
[36:46.670 --> 36:50.610]  which then we provide to this module PyMetasploit
[36:51.270 --> 36:52.850]  that executes the attack plan
[36:52.850 --> 36:57.590]  and shows that how fast is this attack plan
[36:57.590 --> 36:59.250]  that we obtained.
[37:01.010 --> 37:03.390]  So for the validation of attack plan,
[37:03.390 --> 37:04.910]  like if the attack plan says
[37:04.910 --> 37:08.350]  that first exploit SSH and then FTP,
[37:08.350 --> 37:13.210]  we have MSF RPC, which is a daemon of Metasploit,
[37:13.670 --> 37:17.590]  which is running and basically it uses the Python scripts
[37:17.590 --> 37:20.030]  to execute different plans.
[37:20.630 --> 37:25.310]  And tells us like what is the cost
[37:25.310 --> 37:27.010]  of running different attack plans,
[37:27.010 --> 37:30.310]  like how much time it took for different attack plans.
[37:31.490 --> 37:34.010]  So for MSF RPC, you will need to have
[37:34.790 --> 37:39.390]  one of the MSF RPC sessions running on one window
[37:39.390 --> 37:41.770]  and then on another window,
[37:41.770 --> 37:46.430]  you will execute your attack plan and see how it goes.
[37:48.250 --> 37:50.670]  So let's look.
[37:52.290 --> 37:55.290]  Yeah, so let's look at the demo.
[37:55.290 --> 37:58.190]  So we'll first go to here.
[37:59.070 --> 38:03.670]  So we can perform port scan
[38:06.440 --> 38:11.280]  to identify the services that are running on the network.
[38:11.280 --> 38:14.640]  What are the software versions of those services
[38:15.680 --> 38:17.480]  that are present?
[38:17.480 --> 38:20.100]  It will take some time.
[38:20.100 --> 38:23.010]  So in that meantime, we will go and
[38:25.140 --> 38:28.150]  check out the vulnerability scan
[38:28.150 --> 38:30.290]  that we have in our network.
[38:30.290 --> 38:33.540]  Basically, we have like a
[38:40.130 --> 38:45.270]  and we can see like this scan obtained
[38:45.270 --> 38:51.230]  a lot of vulnerability on a machine that we set up.
[38:51.230 --> 38:57.990]  There were about 71 vulnerabilities,
[38:59.530 --> 39:01.470]  which were a mixture of critical, high
[39:01.470 --> 39:08.740]  vulnerability and low vulnerability.
[39:08.740 --> 39:11.880]  So our port scan revealed some information
[39:11.880 --> 39:16.420]  that we basically need from the Stinger module.
[39:17.050 --> 39:22.240]  We have the CVE search API, basically,
[39:22.240 --> 39:25.920]  which provides us information on different
[39:28.360 --> 39:31.460]  vulnerability, like if you provide the CVE ID,
[39:31.460 --> 39:34.630]  it tells us the access complexity and CVSS score,
[39:34.630 --> 39:37.250]  which we will later use in Cappuccino.
[39:41.750 --> 39:45.290]  We have Nessus scanning APIs,
[39:45.290 --> 39:49.830]  which can be used for connecting with the backend
[39:53.360 --> 39:57.220]  of the Nessus on the provided port
[39:57.220 --> 40:00.380]  and basically check the
[40:02.620 --> 40:05.140]  state of the network scan,
[40:05.500 --> 40:07.440]  basically create policies
[40:07.440 --> 40:11.240]  and see like if the scan is running or not.
[40:11.780 --> 40:16.400]  We can basically export the scan using these APIs.
[40:16.400 --> 40:19.320]  One thing is that in latest version of Nessus,
[40:19.320 --> 40:21.580]  I think they have disabled some of these APIs,
[40:21.580 --> 40:25.160]  but if you are using the old version of Nessus,
[40:25.980 --> 40:27.920]  you can use these APIs.
[40:27.920 --> 40:31.700]  So the scan that we obtained from Nessus,
[40:31.700 --> 40:35.180]  we need to provide as input to the attack graph,
[40:36.180 --> 40:39.260]  which is our Americano module.
[40:43.720 --> 40:48.460]  And the Nessus scan file we obtained
[40:52.340 --> 40:57.600]  is this ASAP underscore something dot Nessus.
[40:57.600 --> 41:03.220]  This will serve as input to the attack graph.
[41:05.680 --> 41:11.040]  So MulVAL is a tool which uses this information.
[41:11.040 --> 41:16.300]  Basically translate the dot Nessus file
[41:18.760 --> 41:22.990]  using Nessus vulnerability translate.
[41:24.670 --> 41:28.080]  And this will generate a list of interaction rules
[41:28.930 --> 41:32.340]  and another script, which is a graphgen.sh
[41:32.340 --> 41:36.400]  can be used for obtaining the attack graph
[41:36.400 --> 41:38.700]  from this translated information.
[41:38.700 --> 41:41.900]  So I already have these files.
[41:41.900 --> 41:44.660]  So you will need to set up Nessus and XSB
[41:44.660 --> 41:48.240]  if you want to use the Americano module
[41:48.240 --> 41:51.460]  and I have the details in the readme file.
[41:54.330 --> 41:57.310]  So we run the MulVAL module
[41:57.310 --> 42:00.970]  and the attack graph that we obtained,
[42:02.050 --> 42:04.490]  it has some nodes, edges,
[42:04.490 --> 42:11.560]  which show the information about the network services,
[42:11.560 --> 42:13.000]  the different vulnerabilities
[42:13.000 --> 42:15.820]  that are present on this network,
[42:15.820 --> 42:17.540]  the interaction rules.
[42:19.080 --> 42:23.000]  If we check the visual representation,
[42:23.000 --> 42:24.460]  it will look something like this,
[42:24.460 --> 42:27.440]  like the attacker was initially on internet.
[42:27.500 --> 42:31.980]  Then he used some rules of access control list,
[42:31.980 --> 42:35.000]  which allowed the access to a particular port
[42:35.940 --> 42:40.460]  to have direct access on another machine.
[42:41.560 --> 42:44.040]  In the network, so he can network access.
[42:44.040 --> 42:46.440]  Then he used some other vulnerability
[42:46.440 --> 42:50.920]  to mount a remote exploit on one of the server programs.
[42:50.920 --> 42:59.500]  So this information is represented using a dot file.
[42:59.500 --> 43:02.740]  And we can obviously use some D3 libraries
[43:02.740 --> 43:05.700]  to improve the visualization,
[43:05.700 --> 43:08.780]  but this is how the attack graph will look like.
[43:09.690 --> 43:11.720]  So now we use this attack graph
[43:14.540 --> 43:20.640]  and we provide this information to the MDP solver,
[43:23.860 --> 43:27.040]  which is present in our Cappuccino module.
[43:38.390 --> 43:41.690]  So the attack graph parser basically parses the attack graph,
[43:41.690 --> 43:44.950]  obtains the information about the access complexity
[43:44.950 --> 43:48.370]  from the CVE search.
[43:48.370 --> 43:54.090]  It checks the predecessor and successor nodes
[43:54.090 --> 43:56.990]  of the network, obtains the attributes
[43:56.990 --> 44:04.290]  that I described in the state transition.
[44:04.470 --> 44:08.290]  And basically it encodes this information
[44:08.290 --> 44:14.730]  in form of a Markov decision process.
[44:15.650 --> 44:18.090]  So if you run this code,
[44:20.110 --> 44:25.130]  basically the edge information will tell us
[44:25.130 --> 44:29.070]  if you are transitioning between two edges.
[44:29.070 --> 44:32.510]  So let's see, between 1007 and 994,
[44:33.270 --> 44:39.230]  the edge has labeled CVE 2011-04-11.
[44:39.230 --> 44:40.770]  And then we will use this information
[44:40.770 --> 44:44.090]  to obtain the access complexity
[44:44.090 --> 44:46.630]  of that particular vulnerability
[44:49.110 --> 44:52.530]  from the attack graph and encode it
[44:52.530 --> 44:55.950]  in form of like a reward matrix.
[44:55.950 --> 44:57.950]  Then the value iteration algorithm
[44:57.950 --> 45:02.230]  will learn the attack policy
[45:02.230 --> 45:06.830]  that is beneficial for the pentester in this case.
[45:06.830 --> 45:10.870]  I took a subset of the entire graph
[45:10.870 --> 45:13.590]  to run the value iteration algorithm
[45:13.590 --> 45:18.650]  and it tells us that taking action of exploit,
[45:18.650 --> 45:19.950]  so zero represents no action
[45:19.950 --> 45:22.610]  and one represents the exploit action.
[45:22.710 --> 45:25.670]  So in this state, taking a particular action
[45:25.670 --> 45:29.130]  will be beneficial for the attacker.
[45:30.470 --> 45:34.010]  So it will take some time to basically run
[45:34.010 --> 45:37.150]  the value iteration solver
[45:37.150 --> 45:39.910]  and it will give you an attack plan.
[45:46.930 --> 45:49.470]  We use the attack plan validator
[45:49.470 --> 45:53.270]  to basically validate the plan of attack.
[45:53.270 --> 45:57.790]  So we use the attack plan to exploit FTP
[45:59.610 --> 46:02.830]  and another SSH vulnerability.
[46:02.830 --> 46:05.930]  And basically you can see we obtained two shells
[46:06.190 --> 46:07.350]  in this case.
[46:08.610 --> 46:13.890]  And it took 0.35 seconds to complete.
[46:14.130 --> 46:18.670]  And basically using this attack plan validation,
[46:18.670 --> 46:22.550]  we can validate how much time it took
[46:22.550 --> 46:28.690]  for our attack plan to be finalized.
[46:31.430 --> 46:34.610]  So basically for the attack plan validation to work,
[46:34.610 --> 46:37.910]  you should have the MSF RPC daemon
[46:37.910 --> 46:39.710]  running in one shell, one session
[46:39.710 --> 46:44.030]  and you need to execute your attack plan in another session.
[46:46.090 --> 46:48.190]  So in summary, the threat landscape
[46:48.190 --> 46:50.450]  is very complex and ever-growing
[46:50.450 --> 46:57.010]  and the autonomous pen testing solution,
[46:57.010 --> 47:00.290]  like the one that we have used in ASAP,
[47:01.230 --> 47:06.550]  can help us navigate through this complex attack surface.
[47:07.270 --> 47:10.490]  And it is an effort towards the generation
[47:10.490 --> 47:13.790]  of autonomous attack plans and their validation.
[47:15.170 --> 47:17.970]  So that is another module that we still have in progress
[47:17.970 --> 47:22.770]  and in future our plan is to use the log information
[47:22.770 --> 47:24.350]  to validate these attack plans
[47:24.350 --> 47:27.650]  and possibly also work for some kind
[47:27.650 --> 47:29.530]  of report generation tool,
[47:29.530 --> 47:32.610]  which helps us generate the report
[47:32.610 --> 47:35.390]  on how this validation was performed
[47:35.390 --> 47:37.910]  for individual exploits.
[47:43.060 --> 47:46.440]  So thank you everyone for attending my talk.
[47:46.440 --> 47:50.520]  The source code is posted on the GitHub repo,
[47:50.520 --> 47:52.640]  the link which you can see.
[47:52.640 --> 47:56.460]  And if you want to contact me,
[47:56.460 --> 47:59.320]  here is my contact information.
[47:59.460 --> 48:03.060]  I appreciate the organizers of Red Team Village
[48:03.060 --> 48:06.080]  to give me a chance to speak
[48:06.080 --> 48:08.960]  at this year's DEF CON Red Team Village
[48:08.960 --> 48:11.980]  and have fun, everyone.
